Hostname not verified when decorating Gitlab Merge Requests

  • SonarQube version 8.3.1
  • SonarQube will not decorate Merge Requests due to Gitlab having a self signed SSL certificate.

java.lang.IllegalStateException: Hostname <GitLab Hostname> not verified:

We are unable to give it anything other than a self signed certificate in our environment. Is there a way that we can disable SSL verification for the MR decoration?

Sonarqube works fine otherwise.

Hi, no you can’t turn off the SSL verification. What you can do is generate a valid, self-signed SSL certificate that includes the hostname and aliases. More specifically, you need to add the X509v3 Subject Alternative Name extension to your certificate.

Hi Pierre,

I’ve created a SAN certificate and added it to the keystore, however the issue still remains. I’m thinking that Sonar is not reading the new certificate and still giving the same error. Do you have any other suggestions?

Are you actually using that new certificate on gitlab or did you only add it to the sonarqube keystore? The latter won’t do anything.

I added it to GitLab as well.

Hi @claybuxton ,

would you mind taking us on a little debugging tour?
I think that there is something wrong with the certificate or the keystore, but we need to find out what, so let’s borrow the old SSLPoke from Atlassian and see if this one is able to connect successfully:

javac SSLPoke.java
java SSLPoke server 443

This will basically just try to create a TLS session with the server you provide on the port you provide and fail if this session cannot be validated. If this is failing, then we know for sure that the error is in the keystore or the certificate.

The next place to look for information is to extract the certificate and have a look at the extensions using Java's keytool:

keytool -list -v -keystore path_to_keystore_file
keytool -export -alias alias_name -keystore path_to_keystore_file -rfc -file path_to_certificate_file

where:

  • alias_name: Specifies the same alias that was used to generate the certificate.
  • path_to_keystore_file: Specifies the same KeyStore path that was used to generate the certificate.
  • path_to_certificate_file: Specifies the exported certificate file, often given an extension of .cert.

You should be able to check the resulting certificate using openssl.

Hope that gives us a little more insight into what’s going on here.

I see it’s a long story, but still relevant.

Most java apps cannot handle SNI, although it is a standard of more than a decade.

When the webserver serves more than one HTTPS site, there’s always a default. Java as an HTTPS client always checks the URL hostname with the default site’s certificate, which is nonsense.

Any browser can ask for the certificate of the requested site instead of the default site, but not the Java HTTPS client.

My problem is that all the certs are installed on the nginx reverse proxy, which does the HTTPS offloading and communicates with the backends over HTTP.

Its default site is “https://sonar”, because Gradle is a dummy like the above too, so otherwise it won’t work.

Now the problem is the same, but with sonar as a client, and gitlab as the hostname of the server…

I cannot understand how it is possible that Java cannot use a standard this old.

I really don’t want to change the way we handle certificates!!!

Please tell me there’s a way to make java smart enough to match the 2006 Internet Explorer!

The host certificates on the server are all signed by the corporate certificate, which is installed in the container running sonarqube-developer 9.2.1.

The error message is:

...
sonarqube_1  | 	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
sonarqube_1  | 	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
sonarqube_1  | 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
sonarqube_1  | 	at java.base/java.lang.Thread.run(Thread.java:829)
sonarqube_1  | 2021.12.09 15:02:55 INFO  web[AX2ft4eACPyVT8dIAAAk][o.s.a.c.g.GitlabHttpClient] Gitlab API call to [https://gitlab/api/v4/projects] failed with error message : [Hostname gitlab not verified:\n    certificate: sha256/oDMTiKg5kh+myA0Af85FALWobY6PTCPYr5cryNNDlbc=\n    DN: CN=sonar\n    subjectAltNames: [sonar]]
sonarqube_1  | javax.net.ssl.SSLPeerUnverifiedException: Hostname gitlab not verified:
sonarqube_1  |     certificate: sha256/oDMTiKg5kh+myA0Af85FALWobY6PTCPYr5cryNNDlbc=
sonarqube_1  |     DN: CN=sonar
sonarqube_1  |     subjectAltNames: [sonar]
sonarqube_1  | 	at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:389)
sonarqube_1  | 	at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
sonarqube_1  | 	at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
...

OK, I managed to solve this finally.

I created a dummy certificate with all the hostnames as alternate names and installed it as the default server certificate on the nginx reverse proxy.
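As an added example (not code from the thread or from SonarQube/OkHttp), here is a small Python model of the OkHttp-style hostname check behind the `SSLPeerUnverifiedException` quoted above: the requested hostname is matched against the certificate's subjectAltNames only, the CN is ignored, and a wildcard covers exactly one leftmost label. It parses the DN and subjectAltNames lines from the log excerpt and shows why `gitlab` fails against the default `CN=sonar` certificate and passes once `gitlab` is added as an alternate name, which is what the fix above did; the wildcard handling is a simplification of the full RFC 6125 rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two relevant lines of the failure block quoted in the thread.
LOG_LINES = [
    "sonarqube_1  |     DN: CN=sonar",
    "sonarqube_1  |     subjectAltNames: [sonar]",
]


@dataclass
class PeerCert:
    dn: str
    san: list = field(default_factory=list)  # dNSName entries as printed by the client


def parse_failure(lines):
    """Pull the DN and subjectAltNames out of the exception dump."""
    dn, san = "", []
    for line in lines:
        m = re.search(r"DN:\s*(.+)$", line)
        if m:
            dn = m.group(1).strip()
        m = re.search(r"subjectAltNames:\s*\[(.*)\]", line)
        if m:
            san = [s.strip() for s in m.group(1).split(",") if s.strip()]
    return PeerCert(dn, san)


def _label_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                     # e.g. ".example.org"
    if not host.endswith(suffix):
        return False
    left = host[:-len(suffix)]
    return bool(left) and "." not in left    # wildcard never spans a dot


def hostname_verified(cert, hostname):
    """True if hostname matches any SAN entry; the CN is not consulted at all."""
    return any(_label_match(p, hostname) for p in cert.san)


if __name__ == "__main__":
    broken = parse_failure(LOG_LINES)                    # default cert from the log
    fixed = PeerCert("CN=sonar", ["sonar", "gitlab"])    # default cert after the fix
    for cert in (broken, fixed):
        print(cert.san, "gitlab ->", hostname_verified(cert, "gitlab"))
```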